Operational risk may sound like a hybridised board game for lonely 12-year-olds but it’s actually an extremely important factor in the successful operation of any business.
According to CIO.co.uk:
“Operational risk is defined (after Basel II) as the risk of monetary losses as a result of faults and / or errors in process, technology or skills or due to external factors. Operational risk may also include other risks such as fraud, legal, physical, and environmental risks.”
While any business represents operational risk to some extent, there are certain roles that bear its responsibility more than others. Generally, when it comes to operational risk, the buck stops with the Chief Operations Officers (COO), Chief Information Officers (CIO) or operations manager, but changes to the work environment bring with them new operational risks.
CIOs, for example, lose a lot of sleep over operational risk due not only to the intrinsic risks presented by IT, but the enormous reliance on IT in today’s workplace.
How many news reports have you read where operations have been severely compromised, or even ground to a halt, by a single point of software failure?
For all the potential dangers presented by operational risk, there are numerous safeguards for every business at every level to prevent or manage risk. Consider these your success factors in minimising risk and sleeping better at night.
In the wake of the 2008 financial crisis, the insurance industry has invested a great deal of time and effort into the identification and quantification of operational risk. This has spread across industries too. Hiring a contractor for a big job? Ask them to take out professional indemnity insurance. This way, if you need to sue them for negligence (fingers crossed you won’t have to do this, see point about training remote workers) you won’t be walking away from court empty-handed.
Remember – you can’t sue the pants off someone with no pants. So make sure your contractors are wearing pants/have insurance. Please.
Equipment, from jackhammers to VDUs, is a source of potential operational risk. Ensuring that equipment is used correctly, well maintained and only accessible to those qualified to use it is an essential factor in risk management.
Very few of today’s businesses find themselves in a position whereby they never have to handle or maintain confidential or sensitive data. The cost of improper data security can be catastrophic.
Health and safety
It is a very cavalier business indeed that gambles with the health and safety of its employees. Ensuring employees are compliant with the particular health and safety risks of their role (such as equipment handling, food hygiene or COSHH) is absolutely vital.
Training for remote workers and freelancers
These workers can be a flexible and useful work source but don’t let them be the weak link in your risk management strategy. Ensure that they have enough training to be compliant in important fields like Information Governance.
In order to run a risk-managed business, ensuring that your supplier is compliant in all the relevant processes and procedures is essential. Low prices can be attractive at first, but failing to do your due diligence on a supplier for the sake of a favourable rate may come back to bite you.
Cash flow and credit worthiness (credit checks)
It’s easy to dismiss as “common sense” but 2008 taught us the dangers of irresponsible and speculative lending. Ensure that your due diligence on all with whom you do business is comprehensive and that they have the credit and cash-flow to meet your demands.
Supplier litigation can be a long, bitter and costly process. Picture a particularly messy divorce where one party is being obstinately uncooperative and the other has hundreds or thousands of mouths to feed and you have the right of it. The time and monetary investment presented by the proper appraisal procedure pales in comparison.
Early warning systems
Prevention tends to be the most effective form of risk management and this can be achieved by ensuring that you have clearly defined (and quantifiable) Key Risk Indicators (KRIs). The specific nature of these will depend on the nature of the business and is therefore left for you to define, but make sure they are:
- Measurable – What are we benchmarking against?
- Predictable – They are early warning systems after all.
- Comparable – to enable you to spot and predict trends.
- Informational – To give you a measure of the risk and how to control it.
Accountability and traceability in information systems
Can you see who the last person was to edit that document? Do you know who’s read that email? You don’t want your business to be an Orwellian state but this measure of control will go a long way in combating operational risk.
Operational risk sounds all doom and gloom, but once you’ve integrated the minimisation thereof into your business culture it becomes second nature.